- 14 Aug, 2020 11 commits
-
-
Wen Gong authored
When simulate random transfer fail for sdio write and read, it happened "payload length exceeds max htc length" and recovery later sometimes. Test steps: 1. Add config and update kernel: CONFIG_FAIL_MMC_REQUEST=y CONFIG_FAULT_INJECTION=y CONFIG_FAULT_INJECTION_DEBUG_FS=y 2. Run simulate fail: cd /sys/kernel/debug/mmc1/fail_mmc_request echo 10 > probability echo 10 > times # repeat until hitting issues 3. It happened payload length exceeds max htc length. [ 199.935506] ath10k_sdio mmc1:0001:1: payload length 57005 exceeds max htc length: 4088 .... [ 264.990191] ath10k_sdio mmc1:0001:1: payload length 57005 exceeds max htc length: 4088 4. after some time, such as 60 seconds, it start recovery which triggered by wmi command timeout for periodic scan. [ 269.229232] ieee80211 phy0: Hardware restart was requested [ 269.734693] ath10k_sdio mmc1:0001:1: device successfully recovered The simulate fail of sdio is not a real sdio transter fail, it only set an error status in mmc_should_fail_request after the transfer end, actually the transfer is success, then sdio_io_rw_ext_helper will return error status and stop transfer the left data. For example, the really RX len is 286 bytes, then it will split to 2 blocks in sdio_io_rw_ext_helper, one is 256 bytes, left is 30 bytes, if the first 256 bytes get an error status by mmc_should_fail_request,then the left 30 bytes will not read in this RX operation. Then when the next RX arrive, the left 30 bytes will be considered as the header of the read, the top 4 bytes of the 30 bytes will be considered as lookaheads, but actually the 4 bytes is not the lookaheads, so the len from this lookaheads is not correct, it exceeds max htc length 4088 sometimes. When happened exceeds, the buffer chain is not matched between firmware and ath10k, then it need to start recovery ASAP. Recently then recovery will be started by wmi command timeout, but it will be long time later, for example, it is 60+ seconds later from the periodic scan, if it does not have periodic scan, it will be longer. Start recovery when it happened "payload length exceeds max htc length" will be reasonable. This patch only effect sdio chips. Tested with QCA6174 SDIO with firmware WLAN.RMH.4.4.1-00029. Signed-off-by:
Wen Gong <wgong@codeaurora.org> Signed-off-by:
Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/20200108031957.22308-3-wgong@codeaurora.org
-
Alexander A. Klimov authored
Rationale: Reduces attack surface on kernel devs opening the links for MITM as HTTPS traffic is much harder to manipulate. Deterministic algorithm: For each file: If not .svg: For each line: If doesn't contain `\bxmlns\b`: For each link, `\bhttp://[^# \t\r\n]*(?:\w|/)`: If neither `\bgnu\.org/license`, nor `\bmozilla\.org/MPL\b`: If both the HTTP and HTTPS versions return 200 OK and serve the same content: Replace HTTP with HTTPS. Signed-off-by:Alexander A. Klimov <grandmaster@al2klimov.de> Signed-off-by:
-
Julia Lawall authored
list_for_each_entry{_safe} is able to handle an empty list. The only effect of avoiding the loop is not initializing the index variable. Drop list_empty tests in cases where these variables are not used. Note that list_for_each_entry{_safe} is defined in terms of list_first_entry, which indicates that it should not be used on an empty list. But in list_for_each_entry{_safe}, the element obtained by list_first_entry is not really accessed, only the address of its list_head field is compared to the address of the list head, so the list_first_entry is safe. The semantic patch that makes this change for the list_for_each_entry case is as follows: (http://coccinelle.lip6.fr/) <smpl> @@ expression x,e; statement S; identifier i; @@ -if (!(list_empty(x))) list_for_each_entry(i,x,...) S ... when != i ? i = e </smpl> Signed-off-by:Julia Lawall <Julia.Lawall@inria.fr> Signed-off-by:
-
Gustavo A. R. Silva authored
Replace the existing /* fall through */ comments and its variants with the new pseudo-keyword macro fallthrough[1]. [1] https://www.kernel.org/doc/html/v5.7/process/deprecated.html?highlight=fallthrough#implicit-switch-case-fall-throughSigned-off-by:
Gustavo A. R. Silva <gustavoars@kernel.org> Signed-off-by:
-
Loic Poulain authored
Instead of using the firmware generated sequence number, use the one already allocated by the mac80211 layer. This allows better control of the sequence numbers and avoid to rely on same sequence for Data, QOS Data and QOS Null Data packets. Signed-off-by:
Loic Poulain <loic.poulain@linaro.org> Signed-off-by:
-
Loic Poulain authored
This patch contains the following fixes: - Use correct queue for submitting QoS packet. The queue id to use is a one-to-one mapping with the TID. - Don't encrypt a frame with IEEE80211_TX_INTFL_DONT_ENCRYPT flag. - Use the 'special queue' for null packets, preventing the firmware to submit it as AMPDU. Signed-off-by:
-
Loic Poulain authored
Increase the short/long retry limit to 15 in order to impove TX robustness in noisy/busy environment. 15 is the default value defined in the downstream driver. Observed number of ack timeout is reduced with this change. Signed-off-by:
-
Loic Poulain authored
The controller is capable of reporting TX indication which can be used to report TX ack when IEEE80211_TX_CTL_REQ_TX_STATUS is set. The support was only partially implemented. The firmware can be configured for reporting event when a packet is acked, without specifying which packet though. In order to send a packet flagged with TX status callback, we need to stop the queue, submit the packet and wait for the firmware ack event. Then the queue can be restarted and mac80211 status callback called. In case the packet is not acked, no ack event will be received, therefore a timeout mechanism is introduced to restart the queue and call the status cb in case no event is received after a 100ms. Signed-off-by:
-
Loic Poulain authored
Several AMPDU sessions can be started, e.g. for different TIDs. Currently the driver does not take care of the session ID when requesting block-ack (statically set to 0), which leads to never block-acked packet with sessions other than 0. Fix this by saving the session id when creating the ba session and use it in subsequent ba operations. This issue can be reproduced with iperf in two steps (tid 0 strem then tid 6 stream). 1.0 iperf -s # wcn36xx side 1.1 iperf -c ${IP_ADDR} # host side Then 2.0 iperf -s -u -S 0xC0 # wcn36xx side 2.1 iperf -c ${IP_ADDR} -u -S 0xC0 -l 2000 # host side Signed-off-by: -
Pavel Machek authored
Typo "destoy" made me wonder if correct patch is wrong; fix it. No functional change. Signed-off-by:
Pavel Machek (CIP) <pavel@denx.de> Signed-off-by:
-
Alexander A. Klimov authored
Rationale: Reduces attack surface on kernel devs opening the links for MITM as HTTPS traffic is much harder to manipulate. Deterministic algorithm: For each file: If not .svg: For each line: If doesn't contain `\bxmlns\b`: For each link, `\bhttp://[^# \t\r\n]*(?:\w|/)`: If neither `\bgnu\.org/license`, nor `\bmozilla\.org/MPL\b`: If both the HTTP and HTTPS versions return 200 OK and serve the same content: Replace HTTP with HTTPS. Signed-off-by:
-
- 20 Jul, 2020 2 commits
-
-
Zekun Shen authored
The idx in __ath10k_htt_rx_ring_fill_n function lives in consistent dma region writable by the device. Malfunctional or malicious device could manipulate such idx to have a OOB write. Either by htt->rx_ring.netbufs_ring[idx] = skb; or by ath10k_htt_set_paddrs_ring(htt, paddr, idx); The idx can also be negative as it's signed, giving a large memory space to write to. It's possibly exploitable by corruptting a legit pointer with a skb pointer. And then fill skb with payload as rougue object. Part of the log here. Sometimes it appears as UAF when writing to a freed memory by chance. [ 15.594376] BUG: unable to handle page fault for address: ffff887f5c1804f0 [ 15.595483] #PF: supervisor write access in kernel mode [ 15.596250] #PF: error_code(0x0002) - not-present page [ 15.597013] PGD 0 P4D 0 [ 15.597395] Oops: 0002 [#1] SMP KASAN PTI [ 15.597967] CPU: 0 PID: 82 Comm: kworker/u2:2 Not tainted 5.6.0 #69 [ 15.598843] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014 [ 15.600438] Workqueue: ath10k_wq ath10k_core_register_work [ath10k_core] [ 15.601389] RIP: 0010:__ath10k_htt_rx_ring_fill_n (linux/drivers/net/wireless/ath/ath10k/htt_rx.c:173) ath10k_core Signed-off-by:Zekun Shen <bruceshenzk@gmail.com> Signed-off-by:
-
Bolarinwa Olayemi Saheed authored
On failure pcie_capability_read_dword() sets it's last parameter, val to 0. However, with Patch 14/14, it is possible that val is set to ~0 on failure. This would introduce a bug because (x & x) == (~0 & x). This bug can be avoided without changing the function's behaviour if the return value of pcie_capability_read_dword is checked to confirm success. Check the return value of pcie_capability_read_dword() to ensure success. Suggested-by:
Bjorn Helgaas <bjorn@helgaas.com> Signed-off-by:
Bolarinwa Olayemi Saheed <refactormyself@gmail.com> Signed-off-by:
-
- 23 Jun, 2020 13 commits
-
-
Kalle Valo authored
It's just a duplicate of ATH11K_DEFAULT_CAL_FILE. Signed-off-by:
-
Kalle Valo authored
These defines are not used anywhere else so to avoid extra indirection add the values directly to hw_params. No functional changes. Compile tested only. Signed-off-by:
-
Kalle Valo authored
Use simplified format, just like ath10k uses, which is easier to read. Compile tested only. Signed-off-by:
-
Kalle Valo authored
ath11k should not be spamming these to the logs. If these are important they should be debug messages, but I just remove them for now. Compile tested only. Signed-off-by:
-
Kalle Valo authored
Use the helper added in previous comment to create the full path, instead of doing it manually. No functional changes. Compile tested only. Signed-off-by:
-
Kalle Valo authored
The downside of using defines in struct ath11k_hw_params.fw.dir is that it's easy to get it wrong as the full path is not visible. So drop the use of defines and instead create the patch runtime using a static inline function ath11k_core_create_firmware_path(). Hopefully this reduces the chances of using incorrect firmware path. No functional changes. Compile tested only. Signed-off-by:
-
Kalle Valo authored
To avoid duplicating the logic how the full firmware path is created create a common function ath11k_core_firmware_request() and convert also qmi.c to use it. Also remove a useless info print, it's more like a debug message anyway. No functional changes. Compile tested only. Signed-off-by:
-
Anilkumar Kolli authored
bdf-addr is different for IPQ8074 and IPQ6018 so add it to hw_params. No functional changes. Compile tested only. Signed-off-by:
Anilkumar Kolli <akolli@codeaurora.org> Signed-off-by:
-
Anilkumar Kolli authored
pdev_id to hw_mac is different for ipq8074 and ipq6018 Below table has the mapping pdev_id ipq8074 ipq6018 ------- ------- ------- 0 0 0 1 2 1 2 1 Not applicable No functional changes. Compile tested only. Signed-off-by:
-
Anilkumar Kolli authored
IPQ6018 needs different value for max_radios so make it configurable via hw_params. No functional changes. Compile tested only. Signed-off-by:
-
Anilkumar Kolli authored
Convert to ath11k_hw_params to an array to make it possible add new hardware in the future, for example IPQ6018 or QCA6390. No functional changes. Compile tested only. Signed-off-by:
-
Anilkumar Kolli authored
This is needed to init .max_radios in hw_params and onfigure external interrupts for available pdev_ids. Compile tested only. Signed-off-by:
-
Zekun Shen authored
A compromized ath10k peripheral is able to control the size argument of memcpy in ath10k_pci_hif_exchange_bmi_msg. The min result from previous line is not used as the size argument for memcpy. Instead, xfer.resp_len comes from untrusted stream dma input. The value comes from "nbytes" in ath10k_pci_bmi_recv_data, which is set inside _ath10k_ce_completed_recv_next_nolock with the line nbytes = __le16_to_cpu(sdesc.nbytes); sdesc is a stream dma region which device can write to. Signed-off-by:
-
- 16 Jun, 2020 6 commits
-
-
Anilkumar Kolli authored
Rename default BDF to make it consistent with board-2.bin naming. Signed-off-by:
-
Anilkumar Kolli authored
We need this so that all hardware versions can coexist and it's easier to manage everything then all hardware directories are under ath11k directory. Copy ath11k firmware files to /lib/firmware/ath11k/IPQ8074/hw2.0/ Signed-off-by:
-
Loic Poulain authored
Packet encoding, bandwidth and bitrate can be derived from the wcn36xx rate_idx, part of the buffer descriptor. Signed-off-by:
-
Venkateswara Naralasetty authored
It is expected that the returned counters by .get_survey are monotonic increasing. But the data from ath10k gets reset to zero regularly. Channel active/busy time are then showing incorrect values (less than previous or sometimes zero) for the currently active channel during successive survey dump commands. example: $ iw dev wlan0 survey dump Survey data from wlan0 frequency: 5180 MHz [in use] channel active time: 54995 ms channel busy time: 432 ms channel receive time: 0 ms channel transmit time: 59 ms ... $ iw dev wlan0 survey dump Survey data from wlan0 frequency: 5180 MHz [in use] channel active time: 32592 ms channel busy time: 254 ms channel receive time: 0 ms channel transmit time: 0 ms ... The correct way to handle this is to use the non-clearing WMI_BSS_SURVEY_REQ_TYPE_READ wmi_bss_survey_req_type. The firmware will then accumulate the survey data and handle wrap arounds. Tested-on: QCA9984 hw1.0 10.4-3.5.3-00057 Tested-on: QCA988X hw2.0 10.2.4-1.0-00047 Tested-on: QCA9888 hw2.0 10.4-3.9.0.2-00024 Tested-on: QCA4019 hw1.0 10.4-3.6-00140 Fixes: fa7937e3 ("ath10k: update bss channel survey information") Signed-off-by:
Venkateswara Naralasetty <vnaralas@codeaurora.org> Tested-by:
Markus Theil <markus.theil@tu-ilmenau.de> Tested-by:
John Deere <24601deerej@gmail.com> [sven@narfation.org: adjust commit message] Signed-off-by:
Sven Eckelmann <sven@narfation.org> Signed-off-by:
-
Venkateswara Naralasetty authored
When tx status enabled, retry count is updated from tx completion status. which is not working as expected due to firmware limitation where firmware can not provide per MSDU rate statistics from tx completion status. Due to this tx retry count is always 0 in station dump. Fix this issue by updating the retry packet count from per peer statistics. This patch will not break on SDIO devices since, this retry count is already updating from peer statistics for SDIO devices. Tested-on: QCA9984 PCI 10.4-3.6-00104 Tested-on: QCA9882 PCI 10.2.4-1.0-00047 Signed-off-by:
-
Douglas Anderson authored
On wcn3990 we have "per_ce_irq = true". That makes the ath10k_ce_interrupt_summary() function always return 0xfff. The ath10k_ce_per_engine_service_any() function will see this and think that _all_ copy engines have an interrupt. Without checking, the ath10k_ce_per_engine_service() assumes that if it's called that the "copy complete" (cc) interrupt fired. This combination seems bad. Let's add a check to make sure that the "copy complete" interrupt actually fired in ath10k_ce_per_engine_service(). This might fix a hard-to-reproduce failure where it appears that the copy complete handlers run before the copy is really complete. Specifically a symptom was that we were seeing this on a Qualcomm sc7180 board: arm-smmu 15000000.iommu: Unhandled context fault: fsr=0x402, iova=0x7fdd45780, fsynr=0x30003, cbfrsynra=0xc1, cb=10 Even on platforms that don't have wcn3990 this still seems like it would be a sane thing to do. Specifically the current IRQ handler comments indicate that there might be other misc interrupt sources firing that need to be cleared. If one of those sources was the one that caused the IRQ handler to be called it would also be important to double-check that the interrupt we cared about actually fired. Tested-on: WCN3990 SNOC WLAN.HL.3.2.2-00490-QCAHLSWMTPL-1 Signed-off-by:
Douglas Anderson <dianders@chromium.org> Signed-off-by:
-
- 15 Jun, 2020 8 commits
-
-
Kalle Valo authored
Merge tag 'iwlwifi-next-for-kalle-2020-06-11' of git://git.kernel.org/pub/scm/linux/kernel/git/iwlwifi/iwlwifi-next First set of patches intended for v5.9 * Fix links to wiki; * Some preparations for gcc-10; * Make FW reconfiguration quieter by not using warn level; * Some other small fixes and clean-up; # gpg: Signature made Thu 11 Jun 2020 12:03:51 PM EEST using RSA key ID 1A3CC5FA # gpg: Good signature from "Luciano Roth Coelho (Luca) <luca@coelho.fi>" # gpg: aka "Luciano Roth Coelho (Intel) <luciano.coelho@intel.com>"
-
git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/ath.gitKalle Valo authored
ath.git patches for v5.9. Major changes: ath11k * add 6G band support * add spectral scan support
-
Venkateswara Naralasetty authored
Currently need ptk/gtk wmi peer flags in wmi peer assoc cmd are set based on the rsnie and wpaie of the bss from the bss list. Since this bss list is not updated with current BSSID for AP mode, we may not find bss from the bss list. Which results in ptk/gtk peer flags are not set in the wmi peer assoc cmd. Due to this EAPOL frames are going in data rates instead of management rates. Tested-on: IPQ8074 WLAN.HK.2.1.0.1-01228-QCAHKSWPL_SILICONZ-1 Signed-off-by:
-
Sriram R authored
Add support for collecting and dumping the ring backpressure stats via debugfs. Stats are dumped only if events are received for the specific ring. Below command can be used to obtain these stats as part of soc dp stats. cat /sys/kernel/debug/ath11k/ipq8074/soc_dp_stats Sample Output - When No stats available: Backpressure Stats ================== No Ring Backpressure stats received Sample Output - When ring bp stats available for specific ring Backpressure Stats ================== Ring: REO2SW1_RING count: 1 hp: 2 tp: 2 seen before: 4ms Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.1.0.1-01213-QCAHKSWPL_SILICONZ-1 Signed-off-by:
Sriram R <srirrama@codeaurora.org> Signed-off-by:
-
Sriram R authored
Add support for dp tx error stats which logs tx failure reasons due to ring full condition, etc. This stats is added in soc_dp_stats which was earlier used as soc_rx_stats so that all dp related info are logged in same file. Below is an example usage, root@OpenWrt:/# cat /sys/kernel/debug/ath11k/ipq8074/soc_dp_stats SOC RX STATS: err ring pkts: 0 Invalid RBM: 0 <snip> SOC TX STATS: Ring Full Failures: ring0: 4 ring1: 3 ring2: 5 Misc Transmit Failures: 2 Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.1.0.1-01213-QCAHKSWPL_SILICONZ-1 Signed-off-by:
-
Sowmiya Sree Elavalagan authored
Removed reo cmd lock and unlock which was acquiring the lock immediately after unlock. Done for code clean up. Signed-off-by:
Sowmiya Sree Elavalagan <ssreeela@codeaurora.org> Signed-off-by:
-
Karthikeyan Periyasamy authored
spectral scan control interface is exposed through debugfs eentry. Relayfs is used to collect the spectral data. These interfaces are similar to ath10k spectral. spectral debugfs interfaces are below, echo background > /sys/kernel/debug/ieee80211/phy0/ath11k/spectral_scan_ctl echo trigger > /sys/kernel/debug/ieee80211/phy0/ath11k/spectral_scan_ctl iw dev wlan0 scan echo disable > /sys/kernel/debug/ieee80211/phy0/ath11k/spectral_scan_ctl cat /sys/kernel/debug/ieee80211/phy0/ath11k/spectral_scan0 > fft_samples.dump Tested-on: IPQ8074 WLAN.HK.2.1.0.1-01228-QCAHKSWPL_SILICONZ-1 Signed-off-by:
Karthikeyan Periyasamy <periyasa@codeaurora.org> Signed-off-by:
-
Karthikeyan Periyasamy authored
Add direct buffer ring (dbring) with helper API, which is used by the spectral scan. Initialise the direct buffer ring based on the dma ring capability, which get announced in the wmi service ready extended event. This ring is slightly changed from data path rings. Compare to data path ring this ring shares the hp and tp address to firmware though WMI commands. Also the replenish buffer size is derived from firmware announcement. driver receive indication through WMI event WMI_PDEV_DMA_RING_BUF_RELEASE_EVENTID. Tested-on: IPQ8074 WLAN.HK.2.1.0.1-01228-QCAHKSWPL_SILICONZ-1 Signed-off-by:
-
